Monday, November 28, 2005

Hacking Domino

For the last three years I've been sitting on a draft article, with the working title Domino Security by Obscurity, which I've always been in two minds about publishing. The methods it talks about display a considerable security flaw in Domino, or at least in the way Domino applications are developed. Domino is, as we all know, as secure as you make it. From what I can tell, though, the methods no longer work with Domino 6, and I feel safer talking about it now.
All design elements and documents in a Notes database are assigned a hex NoteID. The assignment of these IDs follows a pattern. Knowing this pattern we could access documents by guessing the URLs to them.
The first view in a database takes the hex NoteID 116 (278 in decimal). Each view added after that is 4 greater, so the IDs follow the pattern 116, 11a, 11e, 122, 126 and so on.
Documents start at hex NoteID 8F6 (2294 in decimal) and follow the same +4 pattern. With this knowledge we could try to access the first document in the first view like this:
http://server/database.nsf/116/8F6
The servlet I wrote tries to access ?OpenView URLs for the first 200 views in the pattern. If a URL returns a non-error status code, the view exists and it gets logged. The servlet then returns the browser a set of links for the views it found. Each link calls the servlet again, this time with a parameter telling it which view to try; for that view it guesses URLs for the first 2000 documents it might contain, and any that exist are returned as links to the browser. Clicking those links can give you access to documents you had no other way of getting at.
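As an added example (not the servlet from the post, which was never published), the Python below does two things with the NoteID pattern just described: it generates the view and document URLs such a sweep would request, and, for the defender, it scans web-server access lines for a client walking NoteIDs in steps of 4 and collecting mostly error responses. It issues no requests itself. The server name, database name, log format (Common Log Format is assumed) and the log lines are all constructed for this example.

```python
import re
from collections import defaultdict

# NoteID pattern described in the post: first view at hex 116, first document
# at hex 8F6, each subsequent one 4 greater.
VIEW_BASE = 0x116
DOC_BASE = 0x8F6
STEP = 4


def note_ids(base, count):
    """Return `count` NoteIDs starting at `base` in the +4 pattern, as lower-case hex."""
    return [format(base + STEP * i, "x") for i in range(count)]


def view_urls(server, database, count=200):
    """The ?OpenView URLs a sweep of the first `count` views would request."""
    return [f"http://{server}/{database}/{nid}?OpenView" for nid in note_ids(VIEW_BASE, count)]


def document_urls(server, database, view_id, count=2000):
    """Document URLs under one view (view_id is a hex NoteID string), shaped like the
    post's http://server/database.nsf/116/8F6 example."""
    return [f"http://{server}/{database}/{view_id}/{nid}" for nid in note_ids(DOC_BASE, count)]


# Defender side. Assumed Common Log Format; the regexes pull out client, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)
# Paths /db.nsf/<hexview>?OpenView or /db.nsf/<hexview>/<hexdoc>[?...]: capture the
# database and the last hex NoteID segment (named views and documents do not match).
NOTEID_RE = re.compile(
    r'^/(?P<db>[^?]+\.nsf)/(?:[0-9a-fA-F]+/)?(?P<nid>[0-9a-fA-F]{1,8})(?:\?|$)'
)


def find_sweeps(log_lines, min_run=8, min_error_ratio=0.5):
    """Flag (client, database) pairs whose requested NoteIDs contain a run of at
    least `min_run` values exactly STEP apart, with mostly error responses.
    Returns a list of (ip, db, run_length, error_count)."""
    per_key = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = NOTEID_RE.match(m["path"])
        if not p:
            continue
        per_key[(m["ip"], p["db"])].append((int(p["nid"], 16), int(m["status"])))

    findings = []
    for (ip, db), reqs in per_key.items():
        ids = sorted({nid for nid, _ in reqs})
        best = run = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b - a == STEP else 1
            best = max(best, run)
        errors = sum(1 for _, status in reqs if status >= 400)
        if best >= min_run and errors / len(reqs) >= min_error_ratio:
            findings.append((ip, db, best, errors))
    return findings


# Constructed sample log (not captured from a real server): one client sweeps the
# first ten view NoteIDs of names.nsf and mostly gets errors; another client opens a
# real view and two documents under it.
SAMPLE_LOG = [
    f'203.0.113.5 - - [28/Nov/2005:10:00:{i:02d} +0000] '
    f'"GET /names.nsf/{nid}?OpenView HTTP/1.1" {200 if i in (0, 3) else 404} 512'
    for i, nid in enumerate(note_ids(VIEW_BASE, 10))
] + [
    '198.51.100.7 - - [28/Nov/2005:10:01:00 +0000] "GET /names.nsf/116?OpenView HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Nov/2005:10:01:05 +0000] "GET /names.nsf/116/8f6?OpenDocument HTTP/1.1" 200 2048',
    '198.51.100.7 - - [28/Nov/2005:10:01:09 +0000] "GET /names.nsf/116/902?OpenDocument HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(view_urls("server", "database.nsf", 3))
    print(document_urls("server", "database.nsf", "116", 2))
    print(find_sweeps(SAMPLE_LOG))
```

The detector keys on the arithmetic rather than on any tool's fingerprint: a legitimate user who opens a view and a couple of documents produces scattered IDs and 200s, while a sweep produces a tidy +4 ladder of 404s. The error ratio matters for the other reason the post gives: a long run of error-producing requests is also what crashes the server.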
So what? Well, imagine you've secured an application by hiding a view and thinking that prevents access to its documents. This is the obscuring bit, of which security plays no part.
The guy who first told me about this suggested I keep it under wraps. Although I never tried it on any public web server, he claimed to have gained access to highly sensitive information at a couple of high-profile financial companies. The main reason I never handed out the code I wrote is that I was scared people would test it on this server: repeated requests for URLs that cause errors will crash Domino.
I had all but forgotten about this code until I happened upon a Sourceforge project the other day called "Domino Hunter".
DominoHunter is an open-source security tool that is able to scan and detect structure vulnerabilities in Domino Web servers.
This Perl script takes the whole thing a little further: it guesses the file names of well-known databases before going on to guess view and document IDs. Scary.
Does anybody know if this really has gone away in Domino 6?
Finally, please, please, please don't point either of the scripts at this server.
By Sir Jake Howlett

Saturday, August 20, 2005

How to use Gmail as your SMTP server

One of the little-known freebies Gmail offers is a portable SMTP server to send mail from any network for any email address.
Travellers who use their ISP's SMTP server to send mail with their email program (like Thunderbird or Outlook Express) can find themselves in a bind when they're on another network away from home, like at a coffee shop, an airport or visiting relatives. But if you've got a free Gmail account (get one here) you can use Google's SMTP server to send mail through Thunderbird from [email protected]. Update: Google rewrites the from address to your Gmail address. Here's how to set it up:
  1. In your email client software, under Outgoing mail, set the SMTP server to smtp.gmail.com.
  2. Set your username to [email protected] and make sure "Use username and password" is checked.
  3. Also check off "TLS" under "Use secure connection." (If your client asks for a port, smtp.gmail.com takes STARTTLS on 587 and implicit TLS on 465.)
And voila! You can send mail for any email address from any network (that lets you connect to an outside SMTP server) using your Gmail account - be sure to enter your Gmail password when prompted.
Check out Gmail's help section on POP access for Gmail for specific instructions for setting this up with your email program. If you only want to use the SMTP server, skip the POP bits and only set up SMTP to work with your existing email account.
Update: I was remiss not to point out that Gmail will set the from address for messages sent through smtp.gmail.com to [email protected] when using this method. Profuse apologies.
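The client settings above, as an added Python example (not from the original post): compose a message and submit it to smtp.gmail.com on the submission port with STARTTLS, verifying the server certificate and refusing to send the password if the server does not offer TLS. The addresses, the password and the RecordingSMTP stand-in (which lets the flow run without a network) are assumptions for this example.

```python
import smtplib
import ssl
from email.message import EmailMessage

GMAIL_SMTP_HOST = "smtp.gmail.com"
GMAIL_SMTP_PORT = 587  # submission port; the session starts in plaintext and is upgraded with STARTTLS


def build_message(from_addr, to_addr, subject, body):
    """Compose a plain-text message. The From header is whatever you put here;
    per the post, Gmail rewrites it to the authenticated Gmail address on delivery."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_gmail(msg, gmail_user, gmail_password, smtp_factory=smtplib.SMTP):
    """Send `msg` through smtp.gmail.com the way the post's client settings do:
    authenticate with username + password, but only after the connection has been
    upgraded to TLS with the server certificate verified. `smtp_factory` defaults to
    smtplib.SMTP and is injectable so the flow can be exercised offline."""
    context = ssl.create_default_context()  # verifies the certificate against the system CAs
    with smtp_factory(GMAIL_SMTP_HOST, GMAIL_SMTP_PORT, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Never fall back to sending the password in the clear.
            raise RuntimeError("server did not offer STARTTLS; refusing to send credentials")
        smtp.starttls(context=context)
        smtp.ehlo()  # RFC 3207: re-identify after the upgrade, capabilities may differ
        smtp.login(gmail_user, gmail_password)
        return smtp.send_message(msg)  # {} means no recipient was refused


class RecordingSMTP:
    """Offline stand-in for smtplib.SMTP (an assumption for this example): records the
    order of calls so the STARTTLS-before-LOGIN ordering can be checked without a network."""
    last = None

    def __init__(self, host, port, timeout=None):
        self.host, self.port, self.calls = host, port, []
        RecordingSMTP.last = self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.calls.append("quit")

    def ehlo(self):
        self.calls.append("ehlo")

    def has_extn(self, name):
        return name.lower() == "starttls"

    def starttls(self, context=None):
        if not isinstance(context, ssl.SSLContext):
            raise TypeError("starttls called without an SSLContext")
        self.calls.append("starttls")

    def login(self, user, password):
        self.calls.append(("login", user))

    def send_message(self, msg):
        self.calls.append(("send", msg["From"], msg["To"]))
        return {}


if __name__ == "__main__":
    message = build_message("me@example.com", "friend@example.org", "Test", "Sent via Gmail SMTP")
    send_via_gmail(message, "me@gmail.com", "app-password", smtp_factory=RecordingSMTP)
    print(RecordingSMTP.last.calls)
```

Drop the `smtp_factory` argument to send for real. The ordering is the whole point of the "TLS" checkbox in the client: the password must only ever travel inside the TLS session, and a server that does not offer STARTTLS gets no login attempt. On accounts with 2-Step Verification the password used here is an app password rather than the account password.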